CVE-2026-47162

Published: Giu 11, 2026 Last Modified: Giu 13, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: active

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 8,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0004

Percentile

0,1th

Updated

EPSS Score Trend (Last 6 Days)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Access Control Other Integrity Non-Repudiation

Potential Impacts:

Read Application Data Bypass Protection Mechanism Alter Execution Logic Other Hide Activities

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

Improper Control of Generation of Code ('Code Injection')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Integrity Confidentiality Availability Non-Repudiation

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities

Applicable Platforms

Languages: Interpreted

Technologies: AI/ML

Likelihood of Exploit: Medium

View CWE Details

Application

Vim by Vim

Product Information

Vendor Vim

Product Vim

Version Range Affected

To 9.2.0495 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179a…

https://github.com/vim/vim/commit/f08ab2f4d7d2947c8dd6c179ae08ee6146a2694b

https://github.com/vim/vim/releases/tag/v9.2.0495

https://github.com/vim/vim/security/advisories/GHSA-crm5-rh…

https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c

CVE-2026-47162

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 6 Days)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Common Consequences

Applicable Platforms

Improper Control of Generation of Code ('Code Injection')

Common Consequences

Applicable Platforms

Vim by Vim

Product Information

Iscriviti alla newsletter